NIS2: Supply chain security, a must for every organisation
NIS2 | Supply chain security
Through our blogs, we explain an important part of the NIS2 legislation with practical tips on how to take action. Want to know if you will soon be covered by the NIS2 legislation? Then look here for the government's NIS2 self-assessment.
Responsibilities | Obligations
- Supervision: The NIS2 directive includes stricter supervision of key and important entities in critical sectors. This includes risk management, incident reporting and compliance checks. Regulators will eventually carry out both pre- and post-clearance checks, including inspections and audits, to ensure compliance and strengthen cybersecurity. You can think about risk management, incident reporting and security measures.
- Duty of care: Under the NIS2 directive, the duty of care means that organisations must conduct their own risk assessment and take appropriate measures to protect their network and information systems. This is for ensuring continuity of services and protecting the (personal) information used by the entity against cyber threats.
- Duty of notification: Under the NIS2 directive, essential and significant entities are required to provide an early warning to the Computer Security Incident Response Team (CSIRT) or competent authority on cyber security incidents within 24 hours of an incident. A detailed incident report must be provided within 72 hours. This reporting requirement will facilitate rapid response and mitigation of cyber threats.
Suppliers
Although often underestimated or even left out of scope, a crucial aspect of NIS2 is supply chain security. DeepBlue believes this should be a standard security agenda item at every organisation, because as the outsourcing of digital processes and technological advances increase, the attack surface for malicious actors increases exponentially.
Organisations need to pay attention to the security aspects of their relationship with suppliers, service providers and partners. This includes but is not limited to identifying vulnerabilities and assessing the quality of products and cybersecurity practices of the components of your supply chain. A tricky but important part. How do I tackle this?
Customer-friendly Control of Suppliers
First of all, organisations should realise that the components in their supply chain are not infrequently smaller in size than themselves and will therefore not have the same resources and/or capacity. Any (security) processes or audits may therefore take longer than might be desirable. It is therefore very important for organisations to start identifying and assessing their supply chain in good time. Below are a number of things to think about and how to handle these components. Of course, the following is described in general terms and in some cases a different approach will be desired.
Transparency and Communication: Transparency and communication are essential for customer-friendly supplier auditing under NIS2. This includes openly sharing your security expectations with your suppliers, clearly communicating compliance requirements and setting shared goals. By engaging in conversation, you strengthen relationships, promote understanding and cooperation, and ensure more effective supplier chain security.
Regular Reviews: When implementing customer-friendly controls for NIS2 at suppliers, it is essential to use clear, business-like communication. Explain the need for compliance and emphasise the mutual benefit of increased cyber security. Ensure transparency on control procedures and offer support for any adjustments. Prioritise cooperation and understanding, and approach auditing as a partnership to meet NIS2 requirements together.
Collaboration and Support: Collaborate with your suppliers. It promotes transparency on cybersecurity standards. By providing support and working together, such as sharing best practices and possibly organising training sessions or meetings, organisations can work together to strengthen the security chain. This will ultimately lead to improved resilience against cyber threats for all parties involved.
Contractual Obligations: Ensure that contracts and any Service Level Agreements (SLAs) with suppliers contain clear security clauses, requirements and obligations. This includes specifying security standards, compliance requirements and sharing responsibilities. Contracts should include clear incident reporting and audit procedures, focusing on both compliance and flexibility towards suppliers. You can think here about sharing, for instance, penetration test results including the mitigating measures that (will) be taken.
Response planning: Work with suppliers on a coordinated response plan for any security incidents. Important here is that suppliers are well prepared for cyber incidents. This means having a plan ready to quickly detect, assess and address irregularities. Plan exercises with regularity and in advance, and ensure that a roadmap is in place to efficiently report any incidents to the appropriate authorities.
Collaboration in all these parts will strengthen your chain. Also read NIS2, what does it mean for your organisation? in our previously written article.
Advisory
Aware that supply chain security is a crucial aspect of NIS2. Organisations covered by NIS2 are responsible for the security of their supply chain. This means that they must work with their suppliers to ensure the security of their information systems and networks.For advice or more information, we invite you to contact us at:
Contact: +31 (0)70-800 2025
Or read more at: DeepBlue Security & Intelligence